From owner-freebsd-stable@FreeBSD.ORG Mon May 12 03:09:34 2003 Return-Path: Delivered-To: freebsd-stable@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C4B9D37B401 for ; Mon, 12 May 2003 03:09:34 -0700 (PDT) Received: from host185.dolanmedia.com (host185.dolanmedia.com [209.98.197.185]) by mx1.FreeBSD.org (Postfix) with SMTP id C104543FEA for ; Mon, 12 May 2003 03:09:33 -0700 (PDT) (envelope-from greg.panula@dolaninformation.com) Received: (qmail 97605 invoked by uid 0); 12 May 2003 10:09:33 -0000 Received: from greg.panula@dolaninformation.com by proxy by uid 82 with qmail-scanner-1.15 ( Clear:. Processed in 1.21955 secs); 12 May 2003 10:09:33 -0000 X-Qmail-Scanner-Mail-From: greg.panula@dolaninformation.com via proxy X-Qmail-Scanner-Rcpt-To: matt-lists@braithwaite.net,stable@freebsd.org X-Qmail-Scanner: 1.15 (Clear:. Processed in 1.21955 secs) Received: from unknown (HELO mail.dolanmedia.com) (10.1.1.23) by host185.dolanmedia.com with SMTP; 12 May 2003 10:09:31 -0000 Received: from dolaninformation.com (10.1.1.135) by mail.dolanmedia.com (Worldmail 1.3.167); 12 May 2003 05:09:31 -0500 Sender: pang@FreeBSD.ORG Message-ID: <3EBF72DA.AB134EF0@dolaninformation.com> Date: Mon, 12 May 2003 05:09:30 -0500 From: Greg Panula Organization: Dolan Information Center Inc X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.12 i386) X-Accept-Language: en MIME-Version: 1.0 To: Matthew Braithwaite References: <1a5401c2db63$945db690$52557f42@errno.com> <86llxdb0h9.fsf@limekiller.braithwaite.net> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit cc: stable@freebsd.org Subject: Re: iHEADS UP: ipsec packet filtering change X-BeenThere: freebsd-stable@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: greg.panula@dolaninformation.com List-Id: Production branch of FreeBSD source code List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 12 May 2003 10:09:35 -0000 Matthew Braithwaite wrote: > > On Sun, 23 Feb 2003 09:47:05 -0800, "Sam Leffler" said: > > > >> Add a new config option IPSEC_FILTERGIF to control whether or not > >> packets coming out of a GIF tunnel are re-processed by ipfw, > >> et. al. By default they are not reprocessed. With the option they > >> are. > > > > This may affect your ipfw/ipf rules. If you are happy with the > > current behaviour then add IPSEC_FILTERGIF to your kernel config > > file. > > I'm sure this was discussed to death somewhere, since it's a reversion > of an earlier change, but just to beat a dead horse ... I encountered > this change in a surprising way: > > Being new to IPSec, I started by setting up a gif tunnel (without > IPSec) between my singly-homed host, fred, running FreeBSD: > > ep0 192.168.0.2/24 > gif0 ${mynet}.27 -> ${mynet}.17 > tunnel 192.168.0.2 -> 192.168.0.1 > > and a dual-homed host, bob, running NetBSD: > > tlp0 ${mynet}.24/28 > tlp1 192.168.0.1/24 > gif0 ${mynet}.24 -> ${mynet}.27 > tunnel 192.168.0.1 -> 192.168.0.2 > > I did this so I could test the tunneling and the firewalling, and then > introduce IPSec after I knew all that was working. Fred's firewall at > this point would pass only ipencap packets over ep0, and I filtered > the untunneled traffic on gif0. That worked just fine; fred's > firewall saw both incoming and outgoing traffic on gif0 and filtered > it. > > But then I turned on IPSec AH between 192.168.0.1 and 192.168.0.2, and > changed fred's firewall to pass ah instead of ipencap on ep0. When I > made this change, fred's firewall continued seeing outbound packets on > gif0, but stopped seeing inbound packets. The inbound packets on gif0 > started bypassing the firewall entirely! > > Setting IPSEC_FILTERGIF fixed this, of course. But it seemed (and > still seems) quite unintuitive: why should the presence or absence of > IPSec over a tunnel determine whether firewall rules get applied? And > what sense does it make to firewall outbound packets on gif0 but not > incoming packets? > > I'm sure it makes sense from some perspective; I just wanted to > contribute my confused little experience. :-) You don't really need the gif tunnels for ipsec. Gif is more geared towards ipv4 <=> ipv6 type tunnels. A few of ipsec how-to's mention using gif tunnels and I've been tripped up by it, too. ipsec is much easier without the gif tunnels. The ipsec policy definition is explained in the setkey man page. Basically for tunnels it is: spdadd ${remote net} ${local net} any -P in ipsec esp/tunnel/${remote gateway}-${local gateway}/unqiue; and spdadd ${local net} ${remote net} any -P out ipsec esp/tunnel/${local gateway}-${remote gateway}/unique; In your example above it looks like you just want to encrypt traffic between two hosts in the same subnet. So, you would just use transport mode instead of tunnel. Something like: (for fred) spdadd 192.168.0.1 192.168.0.2 any -P in esp/transport//unique; spdadd 192.168.0.2 192.168.0.1 any -P out esp/transport//unique; greg